You can use the GroupWise GWIA’s Access Control feature to configure a user’s ability to send and receive SMTP/MIME messages to and from Internet recipients and to access his or her mailbox from POP3 or IMAP4 email clients. In addition to enabling or disabling a user’s access to features, you can configure specific settings for the features. For example, for outgoing SMTP/MIME messages, you can limit the size of the messages or the sites to which they can be sent. By default, there are no limitations.
Access Control can be implemented at a user, distribution list, post office, or domain level.
Choose from the following information to learn how to set up and use Access Control.
A class of service is a specifically defined configuration of GWIA privileges. A class of service controls the following types of access activities:
Whether SMTP/MIME messages are allowed to transfer to and from the Internet
Whether SMTP/MIME messages are allowed to transfer to and from specific domains on the Internet
The maximum size of SMTP/MIME messages that can transfer to and from the Internet
Whether SMTP/MIME messages generated by GroupWise rules are allowed to transfer to the Internet
Whether IMAP4 clients are allowed to access the GroupWise system
Whether POP3 clients are allowed to access the GroupWise system, and if allowed, how messages to and from POP3 clients are managed by the GroupWise system
The default class of service, which all users belong to, allows incoming and outgoing SMTP/MIME messages, and allows POP3 and IMAP4 access. You can control user access, at an individual, distribution list, post office, or domain level, by creating different classes of service and adding the appropriate members to the classes. For example, you could create a class of service that limits the size of SMTP/MIME messages for a selected individual, distribution list, post office, or domain.
Because you can assign membership at the user, distribution list, post office, and domain level, it is possible that a single user can be a member of multiple classes of service. This conflict is resolved hierarchically, as shown in the following table:
Membership assigned to a user through a... |
Overrides membership assigned to the user through the... |
---|---|
domain |
|
post office |
|
distribution list |
|
user |
|
If a user’s membership in two classes of service is based upon the same level of membership (for example, both through individual user membership), the class that applies is the one that allows the most privileges.
IMPORTANT:The GWIA uses the message size limit set for the default class of service as the maximum incoming message size for your GroupWise system. Therefore, you should set the message size for the default class of service to accommodate the largest message that you want to allow into your GroupWise system. As needed, you can then create other classes of service with smaller message size limits to restrict the size of incoming messages for selected users, distribution lists, post offices, or domains. Methods for restricting message size within your GroupWise system are described in Section 12.3.5, Restricting the Size of Messages That Users Can Send.
Attachments to incoming SMTP messages are included in the mime.822 file, in addition to being attached to the message. Therefore, attachments contribute twice to the size of the overall message. Take this account when determining the maximum incoming message size for your GroupWise system.
In ConsoleOne, right-click the GWIA object, then click
.Click
to display the Access Control Settings page.Click
to display the Create New Class of Service dialog box.Type a name for the class, then click
to display the Edit Class of Service dialog box.On the
tab, choose from the following options:Inherit Access: Select this option if you want members of this class of service to inherit their SMTP Incoming access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Incoming Messages: Select this option to allow members of the class of service to receive email messages through the GWIA. You can use the
option to prevent messages from specific Internet sites.Prevent Incoming Messages: Select this option to prevent email messages coming from the Internet. You can use the
option to allow messages from specific Internet sites.NOTE:If a member of the class of service to allow or prevent has an alias, you must also add the member’s alias to the class of service. Ongoing use of aliases is not recommended. For more information, see Section 5.14, Gateway Alias Migration.
Prevent Messages Larger Than: This option is available only if you chose
or . In the case of , this option only applies to messages received from Internet sites listed in the list.If you want to set a size limit on incoming messages, select the limit.
Internet messages that exceed the limit are not delivered. The sender receives an email message indicating that the message is undeliverable and including the following explanation:
Message exceeds maximum allowed size
IMPORTANT:If you have also set a message size limit for your MTAs, as described in Section 42.2.1, Restricting Message Size between Domains, make sure that the MTA message size limit is equal to or greater than the GWIA message size limit.
Exceptions: This option is available only if you chose
or .Prevent Messages From: If you chose to allow incoming messages but you want to prevent messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the
list.Allow Messages From: Conversely, if you chose to prevent incoming messages but you want to allow messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the
list.If you want to allow messages where the user name is blank, add Blank-Sender-User-ID to the
list.Click
, then choose from the following options:Inherit Access: Select this option if you want members of this class of service to inherit their
access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.Allow Outgoing Messages: Select this option to allow members of the class of service to send email messages over the Internet. You can use the
option to prevent messages from being sent to specific Internet sites.Prevent Outgoing Messages: Select this option to prevent members of the class of service from sending email messages over the Internet. You can use the
option to allow messages to be sent to specific Internet sites.Prevent Messages Larger Than: This option is available only if you chose
or .If you want to set a size limit on outgoing messages, specify the limit.
Exceptions: This option is available only if you chose
or .If you chose to allow outgoing messages but you want to prevent messages from being sent to specific Internet sites (IP addresses or DNS hostnames), add the sites to the
list.Conversely, if you chose to prevent outgoing messages but you want to allow messages to be sent to specific Internet sites (IP addresses or DNS hostnames), add the sites to the
list.Allow Replies: This option is available only if you chose
or .Turn on this option to allow the GWIA to send rule-generated replies to messages (such as vacation rule messages).
In addition, you can use the /blockrulegenmsg startup switch to allow some types of rule-generated messages while blocking others.
Exceptions: Click
to create a list of specific Internet addresses that are handled opposite to the setting.Allow Forwards: This option is available only if you chose
or .Turn on this option to allow the GWIA to forward rule-generated messages (which can be a security issue).
In addition, you can use the /blockrulegenmsg startup switch to allow some types of rule-generated messages while blocking others.
Exceptions: Click
to create a list of specific Internet addresses that are handled opposite to the setting.Click
, then choose from the following options:Inherit Access: Select this option if you want members of this class of service to inherit their IMAP4 access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Access: Select this option to allow members of the class to send and receive messages with an IMAP4 client.
Prevent Access: Select this option to prevent members of the class from sending and receiving messages with an IMAP4 client.
Click POP3, then choose from the following options:
Inherit Access: Select this option if you want members of this class of service to inherit their POP3 access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Access: Select this option to allow members of the class to download their GroupWise messages to a POP3 client.
Prevent Access: Select this option to prevent downloading GroupWise messages to a POP3 client.
Delete Messages from GroupWise Mailbox after Download: This option applies only if you selected
.If you turn on this option, messages downloaded from a GroupWise Mailbox to a POP3 client are moved to the Trash folder in the GroupWise Mailbox.
POP3 client users can enable this option by using the userID:d login option when initiating their POP session. For more information, see User ID Login Options.
Purge Messages from GroupWise Mailbox after Download: This option applies only if you selected
.If you turn on this option, messages downloaded from a GroupWise Mailbox are moved to the Mailbox’s Trash folder and then emptied, completely removing the messages from the Mailbox.
POP3 client users can enable this option by using the userID:p login option when initiating their POP session. For more information, see User ID Login Options.
Convert Messages to MIME Format When Downloading: This option applies only if you selected
.If you turn on this option, messages downloaded to a POP3 client are converted to the MIME format.
POP3 client users can enable this option by using the userID:m login option when initiating their POP session. They can disable it by using the userID:n login option; this converts messages to RFC-822 format. For more information, see User ID Login Options.
High Performance on File Size Calculations: This option applies only if you selected
.POP3 clients calculate the size of each message file before downloading it. Turn on this option if you want to assign a size of 1 KB to each message file. This eliminates the time associated with calculating a file’s actual size.
POP3 client users can enable this option by using the userID:s login option when initiating their POP session. For more information, see User ID Login Options.
Number of Days Prior to Today to Get Messages From: This option applies only if you selected
.Select the number of days to go back to look for GroupWise Mailbox messages to download to the POP3 client. The default is 30 days.
POP3 client users can override this option by using the userID:t=x login option when initiating their POP session. For more information, see User ID Login Options.
Maximum Number of Messages to Download: This option applies only if you selected
.Select the maximum number of messages a user can download at one time from a GroupWise Mailbox to a POP3 client. The default is 100 messages.
POP3 client users can override this option by using the userID:l=x login option when initiating their POP session. For more information, see User ID Login Options.
Click
to display the Select GroupWise Object dialog box.Select
, , , or to display the list you want.In the list, select the domain, post office, distribution list, or user you want, then click
to add the object as a member in the class. You can Control+click or Shift+click to select multiple users.To add additional domains, post offices, distribution lists, or users as members of the class of service, select the class of server, then click
to display the Select GroupWise Object dialog box.Click
(on the Settings page) when you are finished adding members.If you created multiple classes of service, you might not know exactly which settings are being applied to a specific object (domain, post office, distribution list, or user) and which class of service the setting is coming from. To discover an object’s settings, you can test the object’s access.
In ConsoleOne, right-click the GWIA object, then click
.Click
to display the Access Control Settings page.Click
to display the Select GroupWise Object dialog box.You use this dialog box to select the object (domain, post office, distribution list, or user) whose access you want to test.
Select
, , , or to display the list you want. For example, if you want to see what access an individual user has, select .In the list, select the object you want to view, then click
.The tabbed pages show the access control settings for
, , , and as they are applied to that user, distribution list, post office, or domain.To view the source for a specific setting, select the setting in the
boxThe
fields display the class of service being applied to the object. It also displays the Member ID through which the class is being applied.When you are finished, click
.The Access Control database stores the information for the various classes of service you have created. If any problems occur with a class of service, you can validate the database to check for errors with the records and indexes contained in the database. If errors are found, you can recover the database.
The Access database, gwac.db, is located in the domain\wpgate\gwia directory.
In ConsoleOne, right-click the GWIA object, then click
.Click
to display the Database Management page.Click
.After the database has been validated, click
.If errors were found, see Recovering the Database below.
If you encountered errors when validating the database, you must recover the database. During the recovery process a new database is created and all intact records are copied to the new database. Some records might not be intact, so you should check the classes of services to see if any information was lost.
In ConsoleOne, right-click the GWIA object, then click
.Click
to display the Database Management page.Click
.Click
.Check your class of service list to make sure that it is complete.